js/chromex.agent.bz help

[Nataneil 0]

I get alert for virus found js/chromex.agent.bz I deleted all the extensions, uninstalled and installed google but even when I open google it keeps throwing me the js/chromex.agent.bz warning removed

help

[Marcos 5,074]

By checking detection details, it's very unlikely to be FP. Please provide logs collected with ESET Log Collector.

[Nataneil 0]

31 minutes ago, Marcos said:

By checking detection details, it's very unlikely to be FP. Please provide logs collected with ESET Log Collector.

Here's the file

 

essp_logs.zip

Edited June 12, 2023 by Nataneil

[Nataneil 0]

js/chromex.agent.bz help

essp_logs.zip

[Marcos 5,074]

"Sistema de pagos de Chrome Web Store" is the only suspicious extension in Chrome. Does removing it cease the detection?

[Pinocoon 0]

Suddenly today,　I ran into the same situation.

After logging out of my Google account, the message disappeared.

But when I log in to my google account again, the message reappears.

I still don't know the cause.

[Marcos 5,074]

4 hours ago, Pinocoon said:

But when I log in to my google account again, the message reappears.

I still don't know the cause.

Please provide logs collected with ESET Log Collector for perusal.

[Nataneil 0]

9 hours ago, Marcos said:

"Sistema de pagos de Chrome Web Store" is the only suspicious extension in Chrome. Does removing it cease the detection?

Sistema de pagos de Chrome Web Store" would this be like an extension? Where can I locate or remove that?

[itman 1,659]

2 hours ago, Nataneil said:

Sistema de pagos de Chrome Web Store" would this be like an extension?

This translates in English to Chrome Web Store Payment Systems. Based on this: https://developer.chrome.com/docs/webstore/money/ , it appears to be something related to how payments are made for the purchase of Chrome apps. The feature is also deprecated and no longer supported except for Chrome OS use. As such, I can't see how this extension could have been installed in the Chrome browser in Windows.

[Pinocoon 0]

Here your are.

If I log out of my google account (more precisely, if I disable sync) without deleting the extension,  the detection stopped.

eis_logs.zip

[miki1980 0]

A mi tambien me pasa lo mismo pero en este caso con el navegador Brave, siempre que lo abro me sale que a bloeado ese troyano llamado js/chromex.agent.bz, 

Parece ser un nuevo virus o un nuevo troyano porque el antivirus eset lo bloque y dice eliminarlo pero sigue saliendo el mensaje cada vez que abro brave.

Pase el antivirus al sistema y no lo detecta, pero cuando abro el brave si lo detecta y supuestamente lo elimina pero vuelve a aparecer cuando abro el brave.

 

Machine translation:

The same thing happens to me, but in this case with the Brave browser, every time I open it, it says that the Trojan called js/chromex.agent.bz has been blocked,

It seems to be a new virus or a new trojan because eset antivirus blocks it and says to remove it but it keeps getting the message every time I open brave.

I passed the antivirus to the system and it does not detect it, but when I open the brave it does detect it and supposedly eliminates it but it reappears when I open the brave.

Edited June 14, 2023 by Marcos
Machine translation added

[Marcos 5,074]

10 hours ago, Pinocoon said:

If I log out of my google account (more precisely, if I disable sync) without deleting the extension,  the detection stopped.

That means you have another machine with sync turned on where the troublesome extension is still installed.

[Marcos 5,074]

2 hours ago, miki1980 said:

It seems to be a new virus or a new trojan because eset antivirus blocks it and says to remove it but it keeps getting the message every time I open brave.

Since this is an English forum, we kindly ask you to post in English.

Most likely you have sync turned on, check sync settings by opening brave://settings/braveSync/setup.
Also post the appropriate record from the Detections log. Alternatively you can supply logs collected with ESET Log Collector.

 

[miki1980 0]

but the question is; is this a virus? or, what is it? js/chromex.agent.bz; and I don't understand what I have to do here? brave://settings/braveSync/setup.

[itman 1,659]

1 hour ago, miki1980 said:

but the question is; is this a virus? or, what is it? js/chromex.agent.bz; and I don't understand what I have to do here? brave://settings/braveSync/setup.

Assuming you have set up syncing from your Smart phone to the Brave browser, the malware Eset is detecting originates from your Smart phone. It is being transferred to your Brave browser whenever the sync processing runs.

You will have to remove the malware from the Smart phone. Until that is done, your only alternative is to disable syncing of your Smart phone to the Brave browser.

Ref.: https://support.brave.com/hc/en-us/articles/360021218111-How-do-I-set-up-Sync-

[miki1980 0]

smartphone? I use brave on my laptop, if you say it is a malware, then is it harmful to my operating system and security? how can i remove it? I passed the antivirus but it does not detect it, it only appears when I open brave and it says that it has been deleted, but every time I open brave the message that I attached in this comment appears again. how do i remove this malware?

[itman 1,659]

27 minutes ago, miki1980 said:

I open brave the message that I attached in this comment appears again. how do i remove this malware?

You removed the screen shot that originally was shown in your posting.

The screen shot showed that the JavaScript Eset is detecting originates from a C:\Windows\????Temp\ sub-directory. The process that accesses the script in this directory appears to be one that unzips extensions prior to loading\running it in the Brave browser. You need to identify what is creating this extension and stop it from doing so.

[miki1980 0]

itman . 

Thanks for answering. If I don't know how I can quote your message, well, my question is, is this malware dangerous? or better leave it like this?

[itman 1,659]

3 minutes ago, miki1980 said:

well, my question is, is this malware dangerous?

No, because Eset is detecting it and blocking it from executing.

[miki1980 0]

2 hours ago, itman said:

Assuming you have set up syncing from your Smart phone to the Brave browser, the malware Eset is detecting originates from your Smart phone. It is being transferred to your Brave browser whenever the sync processing runs.

You will have to remove the malware from the Smart phone. Until that is done, your only alternative is to disable syncing of your Smart phone to the Brave browser.

Ref.: https://support.brave.com/hc/en-us/articles/360021218111-How-do-I-set-up-Sync-

Are you sure it's not dangerous? Eset says that it has removed it, but why every time I open Brave it detects it again?

[itman 1,659]

2 hours ago, miki1980 said:

Eset says that it has removed it, but why every time I open Brave it detects it again?

The first question that needs to be answered is what is this C:\Windows\SystemTemp directory is about? Checking my Win 10 22H2 installation, I also have the sub-directory and it appears to have been created on 6/4/2023. No Win Update of any type ran on that date or the prior date. The directory is totally locked down, not even read access is allowed. As such, I am surprised Eset could detect anything resident in that directory.

This Github article: https://github.com/golang/go/issues/56899 states C:\Windows\SystemTemp directory was created as a Windows security hardening feature for Win 11. Looks like Microsoft also added the directory to Win 10 but possibly not used there?

In any case, I can't see how a Chrome extension could be created C:\Windows\SystemTemp unless something changed its Win access permissions to do so, then reestablished the original permissions. In any case, Eset can't delete the malicious extension from C:\Windows\SystemTemp because it doesn't have the permissions to do so it appears. Hence, the constant Eset notification when the malicious Chrome extension attempts to load into Brave.

[miki1980 0]

so what do you recommend? If the malware is not dangerous, do I leave it like that without doing anything? Or try to remove it? But if I am going to delete it, how can I delete it?

[BenCho 0]

Our company has also encountered the same situation recently. At present, about ten computers have detected this threat. It started to happen on June 12. I don’t know how to solve this Trojan threat.

 

 

 

[Nevermind 8]

4 hours ago, BenCho said:

Our company has also encountered the same situation recently. At present, about ten computers have detected this threat. It started to happen on June 12. I don’t know how to solve this Trojan threat.

On an unrelated note - you allow your (company) users to install any unverified browser extension. Be it a simple game, pseudo-useful tool, credentials harvesting ext. or a straight malware. Google store is far from a trustworthy source. If I were you I would block this possibility for all company PCs. Especially knowing there is CN "neighbor" nearby.

[DardaniaLion 1]

Hey guys,

I hope I can be helpful. I had similar issues for few days now and I started to try and sort this out. I looked careful what I have installed as extinctions on my google chrome. When I checked, I saw that one of the extinctions was corrupted and needed to either be repaired or removed and reinstalled. It was an extinction that translates text into speech or text from other languages into English. When I removed it, this virus threat was not coming up again. Have a look at your extinctions and see if one of them is corrupted and needs to be repaired or reinstalled. 

 

Let us know if it has solved the problem like it did for me.